Swedish Film Institute Learning That An IP Address Is Not A Person

from the lessons-learned dept

Earlier this month, an anti-piracy tracking company traced the origin of some Swedish films found on The Pirate Bay... all the way back to the Swedish Film Institute. After some embarrassment and further investigation, the Institute is now insisting that it can't find any evidence that someone there leaked the films... and they're complaining that the anti-piracy firm DoubleTrace "aren’t... forthcoming with their evidence." Shocking, I'm sure. But the larger point is that the Swedish Film Institute is pointing out that the IP address alone does not identify the user. This is, of course, entirely true. It's what tons of people have been pointing out for years, and what the film industry (and the recording industry) has often mocked as being a silly excuse. So I'm in agreement with TorrentFreak when it says:

The important thing here is that when it comes to the allegations against SFI, and the refusal of the anti-piracy company to make their ‘evidence’ available, SFI should be given the benefit of the doubt.

But, unlike the hundreds of thousands of other ISP account holders around the world who receive letters claiming that they illegally uploaded a movie or song and therefore should pay compensation or, increasingly, be disconnected from the Internet, they are treated more respectfully, quite simply because of who they are.

An IP address is not a person, and unless anti-piracy companies want to let their ‘evidence’ be seen and tested in public, perhaps it’s better if they keep their allegations to themselves.

A license plate is not a person either. So if you see a masked man running out of a bank after robbing it and get his license plate number, no further investigation should take place.

After all, since the guy (or gal, really) had a mask on, there will be no definitive way to identify who was driving. A lot of people share cars. Also, it is likely the thief stole the car, used it to rob the bank, and returned it before the owner noticed it missing.

Instead, based on this flimsy evidence, the police have actually been sent to people's houses. They have asked the owners questions, and some of them have reportedly gotten warrants to look for further "evidence."

We should not tolerate living in such a police state. This is what happens when you have a society with corporate personhood.

Re:

Well, then, that's an interesting point: because the registration is linked to a single car owned by a single person, that actually seems like a logical place to start. In this case, an IP can have a one-to-many relationship, so logically the investigation should start from there.

Re: Re:

Well, then, that's an interesting point: because the registration is linked to a single car owned by a single person, that actually seems like a logical place to start. In this case, an IP can have a one-to-many relationship, so logically the investigation should start from there.

Instead, what gets sent are threats and demands to pay up.

You're absolutely right, what they should do is skip that part and just move directly to litigation to actually do the follow-up investigation.

Re: Re: Re:

The problem with your logic is that the police will talk to the owner and try to determine if there is probable cause to proceed with a criminal complaint, including talking to the owner and verifying their alibi.

The record companies don't bother determining guilt or innocence which is why they've sued dead people, grandmothers without computers and technologically inept people with their shotgun approach to litigation.

The reason we like this story is that it highlights recommenmdations that we make which you conveniently left out of your flawed analogy:
1) An IP address does not equal an individual so further research is needed once you have that IP address much like the police do further investigation once they have a plate number AND DESCRIPTION OF THE VEHICLE (which you don't get from an IP address).

2) The method of capturing the IP address should be subject to verification much like the defense counsel would vet how the plate number was obtained. Did it come from a witness reciting it from memory? Did someone take a picture? Was there a video camera and the plate came from a sceen grab? All questions that can enhance or detract from the quality of the identification. With the record companies, the process of capturing an IP adderss has never been vetted or reviewed. While it could be incredibly accurate, it could also be incredibly flawed. Developers make mistakes and bugs exist in code. It happens and we all know it. The record companies refusing to allow review show an unwillingness to stand behind their methods. Now, whether that's due to intent to defraud or they just don't want to run the risk that their methods are shown to be flaed is another question that will never get proven.

but, but, these are not individuals who have no money, no knowledge how to secure their wifi or have everything to lose. how on earth does anyone expect these to get their door battered down by a swat team, their computers taken away for forensic analysis, threatening letters with jail time and/or huge fines? get real, folks! these types get a different set of rules to play by to the general populace. plus they probably have enough money to defend themselves thoroughly. a RIAA/MAFIAA recipe for disaster!

Re: Re: Re:

Heck, that he didn't challenge you on comparing possible copyright infringement with a bank robber was what surprised me.

A car passes by driven by someone whose face you don't see and catch a few bars of the music they are listening to.
We will skip over, for the moment the fact that said driver has committed the offence of an unwanted and probably unlicensed public performance because we have bigger fish to fry (Don't worry, we won't forget and they will get taken to court for the public performance part later).
There is every chance that the music being played was an unauthorized copy (it could be... and given all the piracy it probably is),
obviously taking the licence plate number and using it for further identification makes sense and what makes further sense is that unless the registered owner can prove that the music being played was not an infringing copy and identify the person responsible for the infringement then they should face legal threats and costs.

Re:

You fail.

With your license plate analogy, the owner of the car has at all times been presumed innocent until proven guilty. Sure, let the police start their investigation with the owner, verify an alibi.
What you don't seem to understand is that the Sue-The-IP-Address-Account-Owner approach is just that. There is no further investigation. The method used to obtain the address has never been professionally vetted as to its accuracy. The person being sued is told that they are automatically guilty and must pay up to make the threat of going to court go away. Or they're disconnected from the internet simply because of accusations, with no further investigations to actually convict them in court.

Read the following sentence carefully. This is PUNISHMENT UPON ACCUSATION, not PUNISHMENT UPON CONVICTION.

Nobody ever claimed an IP address is a person. Talk about a red herring. An IP address and ISP logs can tell you which user was logged in at a given time, and from there you can move ahead legally as you see fit.

If the IP address comes back as a gateway or other "shared" access point (as in shared by the network admin, not someone running TOR), then it is much more difficult to determine who did the deed. There are ways, but they might require methods that would not pass legal muster in some areas.

However, to suggest an IP address is meaningless is pretty much bullshit.

Re:

No, it's exactly where it should be: the starting point of an investigation. The problem is, that most of the people doing the investi9gating assume that that is the only way to get an IP. It isn't. So you can understand why there are issues in using IP addresses as the sole basis for evidence.

In the same way that a car used in a robbery has the owner of the car questioned, an IP address can be used in the same way. However, ISPs (somewhat understandably, I might add) should be reluctant to use that as the sole piece of evidence before giving out privately-held information.

Re:

An IP address and ISP logs can tell you which user was logged in at a given time, and from there you can move ahead legally as you see fit.

Many inexperienced novices such as yourself contend so, but of course everyone with sufficient expertise knows this is utter nonsense. I suggest that you undertake the remedial education that you so obviously require in order to raise your clue level to one that is at least minimally acceptable for participation in this conversation.

Re: Re:

"No, it's exactly where it should be: the starting point of an investigation."

Exactly. Sadly, this is not the case, because ISPs (and the courts) seem to want to block discovery of subscriber information as a basis. It would be like seeing a license plate at the scene of a crime, and not being able to run the plate because the car manufacture objects. It's insane.

If the IP address is a valid starting point, then ISPs should be required to turn over that information when a complaint is filed in the courts. That many of them seem intent on fighting this tooth and nail, and then dragging their feet on providing the information even after being ordered is painful.

Re:

"Nobody ever claimed an IP address is a person. Talk about a red herring. An IP address and ISP logs can tell you which user was logged in at a given time, and from there you can move ahead legally as you see fit."
If using windows, administrator will show up as being logged on at all times. At least with the people I know who use windows.

Re: Re: Re:

"Exactly. Sadly, this is not the case, because ISPs (and the courts) seem to want to block discovery of subscriber information as a basis. It would be like seeing a license plate at the scene of a crime, and not being able to run the plate because the car manufacture objects. It's insane.

If the IP address is a valid starting point, then ISPs should be required to turn over that information when a complaint is filed in the courts. That many of them seem intent on fighting this tooth and nail, and then dragging their feet on providing the information even after being ordered is painful."

ISPs (and the courts) are not wanting to block discovery of subscriber information just because. The reason they are having issues with discovery is because it is not being used in a legitimate way. What the various groups are doing is presenting an IP address and asking for the information on the owner of said address, for no reason beyond wanting to know where to send a letter to attempt to get them to settle the matter out of court. Their "proof" against said person is at that point stated as being their IP address.

So they are not necessarily against the discovery and releasing of said information (the ISPs and courts that is), but what they are against is the abuse of the courts in order to obtain information to then send what are essentially extortion letters to people who may or may not have committed any wrongdoing. Because as has been noted, repeatedly, an IP address does not equal a person. There have been tests conducted and studies shown that the data gathering methods (in regards to harvesting IP addresses) are flawed and prone to error, that IP addresses can be spoofed, change, etc. And that is the problem.

Re: Re: Re:

If the IP address is a valid starting point, then ISPs should be required to turn over that information when a complaint is filed in the courts.

So any complaint alleging that IP address xxx.xxx.xxx.xxx engaged in unlawful conduct at time yy:yy:yy should compel an internet service provider to divulge subscriber information.

If I want to unmask every anonymous coward writing on Techdirt, all I need is going to court and allege that the IP address at a specific time engaged in illegal conduct with no other corroborating evidence.

Re: Re:

Re: Re:

In a sense they are. If you see my car at night, with my plate it doesn't mean I'm the one driving it. It needs further investigation. Now replace car with IP, driving with downloading and voilá, you DON'T know who downloaded and you CAN'T assume the driver is guilty of transporting infringing drugs (yes, I mixed the stuff on purpose).

So what have we learned from this good analogy kids? You need further investigation before concluding the person was downloading the car! Obviously, if he/she uses the safety encryption and proper vpn it may become quite impossible.

Re: Re: Re: Re:

"The record companies don't bother determining guilt or innocence which is why they've sued dead people, grandmothers without computers and technologically inept people with their shotgun approach to litigation."

Don't forget a laser printer. To be fair, that laser printer looked damn sneaky to me.

Re: Re: Re: Re:

If you can get a court to order it, yes. But you need to be aware that a court isn't going to order it without cause. I doubt you would have any evidence to work from.

Copyright holders don't "allege", they actually show the activity as part of the complaint. Sorry if that fucks you world view. Your post my be tagged as insightful, but it is just a good indication of how truly stupid the sheeple are here.

OK, so I've given the exact same amount of information that the typical big media companies give to ISPs. This is not proof...this is an allegation (by definition).

For all we know the "tracking" companies hired by big media could be randomly generating IP addresses, filenames, and dates and times, and then sending the letter to the ISP that came up in the WHOIS lookup.